Page Comparison

TABLE

Office365ExchangeItemGroup

RECORDTYPE

Based on RecordType, where this field indicates the operation performed by the record.
For this log type its value is 3.
See more details about RecordType For available RecordType values, you can visit Microsoft’s documentation here.

APPID

Based on AppId, there’s no available documentation for this field.

CLIENTAPPDID

Based on ClientAppId, there’s no available documentation for this field.

LOGONTYPE

Based on LogonType, where this field indicates the type of user who accessed the mailbox and performed the operation that was logged.

INTERNALLOGONTYPE

Based on InternalLogonType, where this field indicates where it is for internal use.

MAILBOXGUID

Based on MailboxGuid, where this field contains the Exchange GUID of the mailbox that was accessed.

MAILBOXOWNERUPN

Based on MailboxOwnerUPN, where this field contains the email address of the person who owns the mailbox that was accessed.

MAILBOXOWNERSID

Based on MailboxOwnerSid, where this field contains the SID of the mailbox owner.

MAILBOXOWNERMASTERSID

Based on MailboxOwnerMasterAccountSid, where this field contains the Mailbox owner account's master account SID.

LOGONUSERSID

Based on LogonUserSid, where this field contains the SID of the user who performed the operation.

LOGONUSERNAME

Based on LogonUserDisplayName, where this field contains the user-friendly name of the user who performed the operation.

EXTERNALACCESS

Based on ExternalAccess, where this field when set to true means that the logon user's domain is different from the mailbox owner's domain.

ORIGINATINGSERVER

Based on OriginatingServer, where this field contains the details where the operation originated.

ORGNAME

Based on OrganizationName, where this field contains the name of the tenant.

CLIENTINFO

Based on ClientInfoString, where this field contains the information about the email client that was used to perform the operation, such as a browser version, Outlook version, and mobile device information.

CLIENTADDR

Based on ClientIPAddress, where this field contains the IP address of the device that was used when the operation was logged.
The IP address is displayed in either an IPv4 or IPv6 address format.

CLIENTMACHINE

Based on ClientMachineName, where this field contains the machine name that hosts the Outlook client.

CLIENTPROCESS

Based on ClientProcessName, where this field contains the email client that was used to access the mailbox.

CLIENTVERSION

Based on ClientVersion, where this field contains the version of the email client.

CLIENTREQID

Based on ClientRequestId, there’s no available documentation for this field.

SESSIONID

Based on SessionId, there’s no available documentation for this field.

DIR

Based on Folder, where this field contains the folder where a group of items is located.

CROSSMBOPERATION

Based on CrossMailboxOperation, where this field indicates if the operation involved more than one mailbox.

DESTMBID

Based on DestMailboxId, where this field specifies the target mailbox GUID.

DESTMBUPN

Based on DestMailboxOwnerUPN, where this field specifies the UPN of the owner of the target mailbox.

DESTMBSID

Based on DestMailboxOwnerSid, where this field contains the specifies the SID of the target mailbox.

DESTMBMASTERSID

Based on DestMailboxOwnerMasterAccountSid, where this field contains the specifies the SID for the master account SID of the target mailbox owner.

DESTDIR

Based on DestFolder, where this field contains the destination folder, for operations such as Move.

SRCDIRS

Based on ClientProcessName, where this field contains the information about the source folders involved in an operation

AFFECTEDITEMS

Based on AffectedItems, where this field contains the information about affected item(s) in the group.

SNAREDATAMAP

All unclassified field(s) parsed from this log type will be pushed into the SNAREDATAMAP.